CVE-2025-58812

The Best Restaurant Menu by PriceListo WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.4.3. The vulnerability arises from improper neutralization of user-supplied input during web page generation, as noted in the official description. This permits an attacker to embed arbitrary JavaScript into the plugin's output.

The attack requires a privileged user (e.g., an administrator or editor) to be tricked into performing an action, such as clicking a crafted link or submitting a malicious form [1]. Once the attacker injects the script, it is stored on the server and executed whenever a guest visits the compromised page.

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the website. These payloads execute in the context of visitors' browsers, potentially leading to session hijacking, defacement, or further compromise [1].

As an immediate mitigation, users are advised to update the plugin to the latest patched version. If an update is not possible, consultation with a hosting provider or web developer is recommended [1]. The vulnerability carries a CVSS v3 base score of 6.5 (Medium), indicating a notable risk that may be leveraged in mass-exploit campaigns.